Skip to content
Insider threatContained

Coupang insider data breach (2025)

A former Coupang employee accessed personal data on 33.7 million customer accounts of South Korea's largest e-commerce platform. Coupang announced a $1.17 billion compensation plan; its head of Korean e-commerce resigned.

Victim
Coupang
Loss
$1.17B
records
33.7M
users
33.7M

In November 2025, Coupang β€” South Korea's largest online retailer, often described as the country's Amazon β€” disclosed that a former employee had accessed personal data on 33.7 million customer accounts, in what became one of the defining data-governance incidents in South Korean history.

What happened

Unauthorized access began on 24 June 2025, when credentials belonging to a former Coupang employee β€” a former Chinese national employee now residing abroad β€” were used to query Coupang's customer database from overseas servers. The activity went undetected for over four months.

Coupang detected unusual access on 6 November 2025 and traced the intrusion's last day to 8 November. After internal scoping was complete on 18 November, the company publicly disclosed the breach on 29 November 2025.

Exposed data included names, phone numbers, email addresses, delivery addresses, and order histories. Payment cards, banking data, and login credentials were not in the affected dataset.

Impact

  • 33.7 million customer accounts exposed β€” well over half of South Korea's population.
  • Coupang announced a 1.69 trillion won (~$1.17 billion USD) compensation plan: every affected customer receives a one-time, platform-only voucher worth about 50,000 won.
  • Park Dae-jun, head of Coupang's Korean e-commerce operations, resigned in mid-December 2025.
  • The incident became a focal point in South Korea's debate over data-governance reform and accelerated calls for stricter controls on insider access at platform companies.

Why it matters

Coupang did not fall to a zero-day or a state-backed APT β€” it fell to a credential that should have been revoked when its owner left the company. The four-month dwell time between unauthorized access and detection put under-investment in insider-threat monitoring at the centre of the discussion. The scale of the compensation programme β€” over a billion dollars in store-only vouchers β€” is also one of the largest private-sector breach restitution efforts on record.

Timeline

  1. Unauthorized access to customer data begins via overseas servers, using credentials of a former employee.

  2. Coupang detects unusual access at 18:38 KST.

  3. Last day of unauthorized access.

  4. Full scope of the breach identified internally.

  5. Coupang publicly discloses the breach: 33.7 million customer accounts affected.

  6. Park Dae-jun, head of Coupang's South Korean e-commerce operations, resigns amid public pressure.

  7. Compensation plan begins: each affected customer is issued a one-time platform voucher worth ~50,000 won (~$34.84); total programme value 1.69 trillion won (~$1.17 billion).

Sources

  1. incyber.orghttps://incyber.org/en/article/south-korea-data-breach-exposes-33-7-million-coupang-accounts/
  2. securityaffairs.comhttps://securityaffairs.com/186331/security/coupang-announces-1-17b-compensation-plan-for-33-7m-data-breach-victims.html
  3. securityweek.comhttps://www.securityweek.com/coupang-to-issue-1-17-billion-in-vouchers-over-data-breach/
  4. thediplomat.comhttps://thediplomat.com/2026/03/coupangs-data-breach-and-the-urgency-of-data-governance-reform-in-south-korea/

Related incidents

Insider threatResolved

Yandex.Eda customer data leak

Yandex's food-delivery service Yandex.Eda leaked the names, phone numbers, addresses, intercom codes and order details of more than 58,000 customers, which were later mapped onto an interactive public website. Russian regulator Roskomnadzor opened a case and a Moscow court fined the company 60,000 rubles.

Victim
Yandex.Eda
Loss
$700
Records
58.0K
Insider threatResolved

Yandex mail insider breach

Yandex disclosed that one of three administrators with privileged access to its email service had been selling unauthorized access to user mailboxes, compromising 4,887 inboxes before the company's internal security team detected the abuse during a routine review.

Victim
Yandex
Records
4.9K
Insider threatResolved

Korea Credit Bureau card-data theft

A contractor at the Korea Credit Bureau copied the card and identity data of about 20 million customers of KB Kookmin, Lotte and NH Nonghyup card firms onto a USB drive and sold it β€” one of the largest financial-data thefts in South Korean history.

Victim
Korea Credit Bureau (KCB) / KB Kookmin, Lotte, NH Nonghyup card units
Records
20.0M
Credential stuffingOngoing

FortiBleed: leaked dataset exposes VPN credentials for ~74,000 Fortinet firewalls

A dataset dubbed FortiBleed exposed valid Fortinet FortiGate VPN credentials β€” including plaintext passwords β€” for 73,932 firewall URLs across 194 countries, the product of a Russian-speaking crew that reused passwords from earlier breaches and infostealer logs rather than any new Fortinet vulnerability.

Victim
Organizations running Fortinet FortiGate firewalls worldwide